Date: Fri, 17 Dec 2004 13:26:54 -0600
From: Paul Schmehl <pauls@utdallas.edu>
To: freebsd-questions@FreeBSD.org
Subject: Re: "ipfw count" equivalent for pf
Message-ID: <B033DA8BFBA01939DD99B717@utd49554.utdallas.edu>
In-Reply-To: <20041217182908.GA50057@keyslapper.org>
References: <b043a48504121611577801f1ef@mail.gmail.com> <20041217182908.GA50057@keyslapper.org>

--On Friday, December 17, 2004 01:29:09 PM -0500 Louis LeBlanc <FreeBSD@keyslapper.org> wrote:

>
> Control
> After boot, PF operation can be managed using the pfctl(8) program. Some
> example commands are:
>
>      # pfctl -f /etc/pf.conf     loads the pf.conf file
>      # pfctl -nf /etc/pf.conf    parse the file, but don't load it
>      # pfctl -Nf /etc/pf.conf    Load only the NAT rules from the file
>      # pfctl -Rf /etc/pf.conf    Load only the filter rules from the file
>
>      # pfctl -sn                 Show the current NAT rules
>      # pfctl -sr                 Show the current filter rules
>      # pfctl -ss                 Show the current state table
>      # pfctl -si                 Show filter stats and counters
>      # pfctl -sa                 Show EVERYTHING it can show
>
> For a complete list of commands, please see the pfctl(8) man page.
> --------
>
> HTH. It certainly seems like changing nat and firewall rules on the fly
> are easier with pf. As I read and played with it, it seems to be much
> easier, particularly when using tables and lists.
>

I'm curious what you think is easier about the above than:

ipfw show (same as ipfw -a list)
ipfw -d list (show dynamic rules)
ipfw -S list (show the set each rule belongs to)
ipfw add 00400 allow blah
ipfw delete 00400
ipfw disable firewall
ipfw enable firewall
ipfw set disable (num)
ipfw set enable (num)

Etc., etc.

With ipfw you can add or delete rules on the fly as well. I do it regularly.

If you want to reset counters to zero, use ipfw zero rulenum. If you want to reset the log to zero, use ipfw resetlog rulenum. (Or you can reset an entire set.)

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu